Page 14 - GBC Fall English 2025 flipbook
Companies need to build a culture of understanding about security and to make
sure that everyone knows they play an important role in protecting the club against
attack.
truly fortunate, but it comes at a
cost. You have now been labeled a
generous victim that tends to pay
ransoms. In the dark web, word
travels fast and you will quickly
become a target in perpetuity. Odds
are that you will not be able to
recover your data because the
hacker will take your money and
not deliver the decryption information
you will need to unlock your data.
If you have “all” of your data
backed up on a device that is not
connected to the infected
computers, you “might” be out of
the woods on this with nothing
more than a very expensive and
unexpected purchase of computing
equipment. However, have you
considered the downtime while
you frantically have the IT person
purchase and set up and reinstall
the programs and import your
good backups, in peak summer
operations?
In financial terms, what does
one day of downtime cost your
club in a total blackout situation?
What about two or three days?
What is the public’s perception of
the ransomware attack? What
might they be thinking about the
information they provided you
and how it may have suddenly
become vulnerable or exposed?
SCENARIO 2: DATA LEAKAGE
This brings me to my second
scenario and that is personal
information. In Canada, we call
this PII or Personally Identifiable
Information, which is broadly
defined as any information that
can be used to identify an
individual, either directly or
indirectly.
According to the Personal Information
Protection and Electronic
Documents Act (PIPEDA), this
includes, but is not limited to,
names, addresses, email addresses,
phone numbers, Social Insurance
Numbers (SIN), and financial
information. It also encompasses
data points like IP addresses and
device identifiers if they can be
linked to an individual.
Imagine that one or more of
your members’ information is
strewn about the dark web and
shared with other hackers (usually
for a cost). Imagine for a moment
that the club member has a low
tolerance for the lack of care and
attention given to their personal
information they placed with your
club that is now open for the
underworld to see.
These days it is practically
inexcusable to not safeguard PII. In
fact, individuals may take legal
action against private businesses
that leak or are found responsible
for the leakage of PII.
Golf Business Canada
According to PIPEDA, organizations
can face fines of up to
$100,000 for violations and,
depending on the specific law and
the nature of the violation, penalties
can be higher, potentially reaching
millions of dollars. For example,
under PHIPA (Personal Health
Information Protection Act),
individuals can be fined up to
$200,000 or face imprisonment,
while organizations can be fined
up to $1,000,000.
IT STARTS AT THE TOP
So, what can be done to lessen the
odds of becoming a target of a
cyber-attack? Leadership must
drive security. If the business
operator does not prioritize
cybersecurity, no one else will. Far
too often we see failed security
programs, abandoned training
programs and money that is spent
on ineffective or even overkill
security technology. One of the
main reasons is that the initiative to
secure the company is left to the IT
person, and not the owner of the
business.
Typically, the IT person is the
one who is called upon when
something is not working. They
show up, fix the problem and then
disappear like a maintenance
person would after completing
their repairs. Rarely do they share
their concerns with management
about security or other IT-related
items because they think they will
be shot down, ignored or given lip
service by the manager or owner of
the business.
The IT person may already
know the network is a disaster
waiting to happen but cannot
muster the courage to face the boss
and explain their concern. They
may feel like they already know
the outcome… such as, “yeah great
idea, we should look at that next
year”. Or, “we don’t have the